Personal information charter

This notice sets out how we handle your personal data and how we comply with the requirements of the General Data Protection Regulation (GDPR).

If you’re an officer of a company or other corporate entity

This section of the privacy notice sets out how the Registrar of Companies (“the registrar”) handles the personal data of officers of companies and other corporate entities, and sets out how the registrar ensures that the public register of companies (“the register”) complies with the requirements of the General Data Protection Regulation (GDPR).

For further information on what it means to be a company officer, and further detail on how your personal data can be protected, please see this guide.

 Identity of controller and Data Protection Officer (DPO)

The registrar is the controller of your personal data. This means it’s the registrar who decides how and why your personal data is processed. The Companies Act 2006 requires the registrar to collect and publish information, including the personal data of officers of companies and other entities, on the register.

In certain circumstances (for instance if an individual or company is being investigated for a criminal offence) the controller may be Companies House’s sponsoring department, the Department for Business, Energy and Industrial Strategy (BEIS). Companies House is an Executive Agency of BEIS and as such many of the day to day controller responsibilities have been formally delegated to Companies House.

 Purpose for processing

Personal data featuring on the public register of companies is processed for the purpose of making data available for public inspection under a statutory obligation. The registrar’s legal basis for processing is described in more detail below.

 Lawful basis for processing

The registrar is required by the Companies Act 2006 to make certain information, including personal data, publicly available. Part 35 of the Companies Act 2006 sets out the registrar’s obligations, including the requirement to make information, including personal data, available for public inspection. Part 35 of the Companies Act 2006 also sets out many of the requirements for handling personal data – including how it can be rectified in certain circumstances, and how inaccuracies can be amended.

While the GDPR is a European Regulation and therefore has direct effect, it does offer some flexibility to Member States. The Data Protection Act 2018 introduces some domestic exemptions for the UK. Paragraph 5 of Schedule 2 Part 1 of the DPA 2018 provides the following exemption from the “listed GDPR provisions”:

“The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.”

Since the registrar is required by the Companies Act to make information available to the public, they’re entitled to rely on this exemption. Therefore, they have an exemption from some elements of the GDPR, including:

  • the requirement to provide ‘privacy notices’ to individuals
  • the requirement to provide personal data in response to subject access requests
  • the requirement to rectify personal data when it is inaccurate
  • the requirement to comply with requests to be ‘forgotten’
  • most of the principles of the GDPR

This means it’s unlikely the registrar will be required, or able, to comply with any exercise of these GDPR rights in respect of personal data appearing on the public register. For example, the registrar will be unable to comply with any request for an individual to be ‘forgotten’ from the public register where they have a legal obligation under the Companies Act to continue to make this personal data available.

If you have any queries or concerns about this, please contact the DPO at dpo@companieshouse.gov.uk.

Presenters’ details

If you file a paper form, you have the option to include certain contact details for the presenter of the form. If you include these presenter details, they’ll be placed onto the public record in the same way as all other information contained within the filing.

 What we do with your data

Before becoming an officer of a company or other entity, it’s important that you’re familiar with the legal implications. As a company officer, we’re required by law to publish some of your personal data on the register. The register is publicly available and accessible by anyone.

Commercial organisations sometimes use data from the register to create their own online products. These organisations then become controllers of your personal data. These organisations must establish how they comply with the data protection law as set out in the GDPR. If you have any concerns about company data on third party products and websites, please contact the organisation directly. We’re not able to advise other organisations on GDPR compliance, and we cannot advise you on whether other organisations are complying with the law.

 Non public data

Some of your personal data will not be made available to the public. This includes the address you provide as your usual residential address and the day of your date of birth. We must collect this information, but it will not be placed on the public register, as long as you do not provide it when asked to give a service address.

We may share your personal data with:

  • other government departments and enforcement agencies
  • debt recovery agents and their appointed solicitors
  • Legal Counsel (in rare complex cases)
  • commercial printers (for instance when we need to print statutory notices)

Sharing will only take place in certain circumstances, and only where permitted or required by law.

If you’re a director or PSC of a company, The Companies Act 2006 also allows the registrar to share information on your usual residential address and your full date of birth with credit reference agencies, unless you qualify for protection. This information is not placed onto the public register.

 Data processors

Since the registrar is a controller for personal data appearing on the register, the registrar is not acting as a data processor (as defined by the GDPR) when maintaining a public register. Individuals, companies, agents and other representatives provide personal data for the public register because they’re required to by law, and not for the registrar to process personal data on their behalf. Because of this, the registrar does not have to provide a ‘statement of GDPR compliance’, or compliance with Article 28 of the GDPR as a data processor.

In some cases, we employ third-party organisations as data processors to carry out elements of processing. For example, an external company to shred paper filings which may contain personal data, or the use of third-party software solutions hosted in the cloud. In all cases, contracts with these companies have been reviewed for the GDPR, and we’ve had assurance from all third-party processors of their own GDPR compliance.

The organisations we employ under contract as data processors are:

  • cloud services in the UK or EU/EEA
  • UK based contact centre
  • UK based secure disposal
  • adjudicators for appeals of late filing penalties
  • UK based debt recovery
  • mail delivery and printing

 Overseas transfers

The register of companies is freely accessible and available to the public, including overseas. Article 49(1)(g) of the GDPR states that a transfer of personal data overseas can take place in the absence of specific safeguards where the transfer is made from a register intended to provide information to the public. This means we do not need to consider the adequacy of data protection regimes in all countries before making the public register freely available online.

 Retention of personal data

Companies House retains all records of companies as long as they’re active. Records of dissolved companies are retained for 20 years, before they’re transferred to the Public Records Office at The National Archives (TNA). This includes all information relating to company directors or its officers.

In response to some concerns about data privacy, we stopped publishing dissolved company records over 6 years old on our free Companies House Service. This interim measure will continue while we review our retention policy on dissolved records. Any changes to the retention period will be subject to public consultation.

However, dissolved company records over 6 years old can still be accessed through our other paid for search services.

Companies House has an agreement with TNA to transfer a selection of our records 20 years after a company is dissolved. This agreement, and the criteria for selection, is set out in the operational selection policy which can be found on TNA’s website.

TNA will direct us to destroy any records that are not transferred.

You can apply to remove your residential address if it’s publicly available in records of live and dissolved companies.

 Complaints

If you have a complaint about the way we’re managing your personal data, you can let us know in the first instance by writing to dpo@companieshouse.gov.uk.

If you’re still dissatisfied, you can raise your concerns with:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

If you’ve contacted us with a complaint or enquiry

You may have written to us, or contacted us by phone, because you have a complaint, or to to ask a question. This section of the privacy notice sets out how we comply with GDPR in handling your correspondence.

If you contact us by phone or in writing, we have no control over the personal data you include in your correspondence, or that you tell us about. We would always advise you to limit the amount of personal data you include in your correspondence, as much as possible. Once received, your personal data will be handled in line with the following privacy notice. This also applies to the personal data of any third-parties that can be identified from your correspondence.

 Identity of controller and Data Protection Officer (DPO)

The registrar is the controller of your personal data. This means it’s the registrar who decides how and why your personal data is processed. As the registrar is responsible for operating the register, they’re also responsible for handling complaints and queries about the register.

In certain circumstances, the controller may be our sponsoring department, the Department for Business, Energy and Industrial Strategy (BEIS). Such as, if an individual or company is being investigated for a criminal offence.

 Data processors

When you write to us or call us, your enquiry will usually be handled by our contact centre (unless you have an ongoing case with a specific team at Companies House). Our contact centre is provided by a third-party organisation. We employ third-party organisations for other elements of processing. In all cases, contracts with these companies have been reviewed for the GDPR, and we’ve had assurance from all third-party processors of their own GDPR compliance.

The organisations we employ under contract as data processors are:

  • cloud services in the UK or EU/EEA
  • UK based contact centre
  • UK based secure disposal
  • adjudicators for appeals of late filing penalties
  • UK based debt recovery
  • mail delivery and printing

 Purpose for processing

When you write to us or call us with a complaint or enquiry, your personal data will only be used for the purpose of handling, investigating and resolving your issue. We’ll use the contact details provided to respond to your correspondence. If you’ve made a complaint about a third-party, we may use the contact details you’ve provided for them to investigate your issue.

 Call recording

In some areas of Companies House, calls are recorded. If your call is being recorded, you’ll be told about this by an automated message, which will also direct you to this document for further information. Calls are recorded for training, quality and monitoring purposes.

 Lawful basis for processing

Our core public function is to provide a public register that’s available for anyone to inspect. We consider the handling of complaints and enquiries about the public register a necessary process for this public function.

 Who we share data with

Often your complaint or enquiry will need specialist advice, and will be passed to the relevant team within Companies House for consideration.

In certain circumstances, and only where permitted or required by law, we’ll share data with other government departments and enforcement agencies.

 Retention of personal data

Companies House retains written correspondence from customers for 10 years. Any call recordings are retained for 18 months.

 Individual rights

The GDPR provides certain rights that individuals may exercise in respect of their own personal data. If you want to exercise any of these rights, you can contact the DPO.

There may be some circumstances in which we cannot comply with your request. Such as, if we have a legal duty to keep data, or to process it in a particular way. We’ll handle all requests to exercise GDPR rights on a case-by-case basis.

 Complaints

If you have a complaint about the way we’re managing your personal data, you can let us know in the first instance by writing to dpo@companieshouse.gov.uk.

If you’re still dissatisfied, you can raise your concerns with:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

If you’re a subscriber to our web services

If you sign up to our services such as WebFiling or WebCHeck, we’ll ask you for a small amount of personal data so we can provide you with an online account and give you secure access to it. Any details provided in this context will only be used for this purpose.

Our joint service with HMRC to set up a limited company and register for Corporation Tax has its own privacy notice.

 Identity of controller

The registrar is the controller for all personal data collected from subscribers to our services. This means it’s the registrar who decides how and why your personal data is processed.

 Data Protection Officer contact details

The DPO can be contacted at dpo@companieshouse.gov.uk.

 Purpose for processing

If you subscribe to our web services, your personal details are held only for the purpose of allocating you an account and allowing you secure access to our services.

 Lawful basis for processing

We consider that processing of the personal data of subscribers to our web services is necessary for our public function. In order to operate an effective public register, we need to provide filers and searchers with online accounts to transact with us.

 Who we share your data with

We do not share your subscriber information with any third-parties.

 Retention of personal data

Companies House will retain personal data collected for the purpose of accessing our web services for as long as you wish to use our services. You can unsubscribe at any time.

 Individual rights

The GDPR provides certain rights that individuals may exercise in respect of their own personal data. If you want to exercise any of these rights, please contact the DPO.

 Complaints

If you have a complaint about the way we’re managing your personal data, you can let us know in the first instance by writing to dpo@companieshouse.gov.uk.

If you’re still dissatisfied, you can raise your concerns with:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

If you’re a subscriber to our communication channels

This part of the privacy notice may apply to subscribers of our communications, such as newsletters or webinars.

We only send useful news and information to people who’ve explicitly given their consent to receive our communications. If you no longer wish to receive communications from us, you can unsubscribe at any time.

 Identity of controller

The registrar is the controller for all personal data collected from subscribers to Companies House communications via our GOV.UK webpage. This means it’s the registrar who decides how and why your personal data is processed.

 Data Protection Officer contact details

The Data Protection Officer can be contacted at dpo@companieshouse.gov.uk.

 Purpose for processing

If you subscribe to our communications channels, your personal details are held only for the purpose of e-mailing you news and information about Companies House which we think may be of interest to you.

 Lawful basis for processing

We only process your personal information where we have your explicit consent. We make sure the consent you’ve provided meets the strict conditions of the GDPR.

 Who we share your data with

We employ third-party organisations to deliver our communications to customers. In this capacity, these organisations are also acting as data processors.

In all cases, contracts with such companies have been reviewed in light of GDPR, and we’ve had assurance from all third-party processors of their own GDPR compliance. We use a third-party organisation to send our email newsletter, and to present webinars on behalf of Companies House.

 Retention of personal data

Personal data collected for the purpose of sending you communications, will be retained by Companies House for as long as you wish to remain subscribed to the communication channel. You can unsubscribe at any time.

 Individual rights

The GDPR provides certain rights that individuals may exercise in respect of their own personal data. If you want to exercise any of these rights, please contact the DPO.

 Complaints

If you have a complaint about the way we’re managing your personal data, you can let us know in the first instance by writing to dpo@companieshouse.gov.uk.

If you’re still dissatisfied, you can raise your concerns with:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Searchers of the public register

Our website does not store or capture personal information, but merely logs the user’s IP address (Internet Protocol: standard allowing data to be transmitted between two devices) which is automatically recognised by the web server.